RFC 4158 certification path building for pkix_path.
Accepts an unordered collection of certificates (CertPool) and
constructs a valid ordered chain suitable for pkix_path::validate_path.
§Relationship to pkix-path
pkix-path validates a caller-ordered &[Certificate]. This crate
handles the prior step: discovering and ordering that chain from a bag
of certificates when the caller does not know the chain order in advance.
Cross-certificates and bridge CA topologies are handled here, not in
pkix-path.
§Algorithm
build_path and build_path_with_config use iterative-deepening DFS
(RFC 4158 §2.5): they try increasing maximum path depths from 1 up to
PathBuilderConfig::max_depth (default DEFAULT_MAX_DEPTH = 10),
performing a full DFS at each depth. This guarantees that the shortest
valid path is returned while bounding memory to O(depth) stack frames
per attempt.
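A toy model of the iterative-deepening search described above, added here as an illustration; it is not this crate's code or API. `ToyCert`, `ToyError`, `toy_build_path` and `sample` are hypothetical names, certificates are reduced to subject/issuer name pairs, and the depth limit is assumed to count intermediates. The constructed pool contains a cross-certificate loop and lists the longer route first, so the example shows both loop termination and shortest-path selection.

```rust
// Toy model: a "certificate" is only a (subject, issuer) name pair. Nothing here
// checks signatures, validity or extensions, and none of it is the crate's API.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct ToyCert { pub subject: &'static str, pub issuer: &'static str }

#[derive(Debug, PartialEq)]
pub enum ToyError { NoPath, BudgetExhausted }

/// Depth-limited DFS. `path` holds the chain so far, target first.
/// Ok(true) means the last certificate in `path` was issued by a trust anchor.
fn dfs(pool: &[ToyCert], anchors: &[&str], path: &mut Vec<ToyCert>,
       limit: usize, budget: &mut usize) -> Result<bool, ToyError> {
    if *budget == 0 { return Err(ToyError::BudgetExhausted); }
    *budget -= 1; // one node visit
    let tip = *path.last().expect("path always starts with the target");
    if anchors.contains(&tip.issuer) { return Ok(true); }
    if path.len() > limit { return Ok(false); } // already `limit` intermediates
    for cand in pool.iter().filter(|c| c.subject == tip.issuer) {
        if path.contains(cand) { continue; } // cross-certificate loop guard
        path.push(*cand);
        if dfs(pool, anchors, path, limit, budget)? { return Ok(true); }
        path.pop();
    }
    Ok(false)
}

/// Iterative deepening: full DFS at limits 1..=max_depth, fresh budget per round.
pub fn toy_build_path(target: ToyCert, pool: &[ToyCert], anchors: &[&str],
                      max_depth: usize, budget: usize) -> Result<Vec<ToyCert>, ToyError> {
    for limit in 1..=max_depth {
        let (mut path, mut left) = (vec![target], budget);
        if dfs(pool, anchors, &mut path, limit, &mut left)? { return Ok(path); }
    }
    Err(ToyError::NoPath)
}

/// Constructed bridge topology: CA-A and Bridge cross-certify each other (a loop),
/// and the long route through Bridge is listed before the direct CA-A <- Root cert.
pub fn sample() -> (ToyCert, Vec<ToyCert>) {
    fn c(subject: &'static str, issuer: &'static str) -> ToyCert { ToyCert { subject, issuer } }
    (c("leaf", "CA-A"), vec![c("CA-A", "Bridge"), c("Bridge", "CA-A"),
                             c("Bridge", "Root"), c("CA-A", "Root")])
}

fn main() {
    let (leaf, pool) = sample();
    println!("{:?}", toy_build_path(leaf, &pool, &["Root"], 10, 64));
}
```

The node-visit budget is what keeps a hostile or misconfigured pool with many cross-certificates from turning path building into unbounded work.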
§Spec references
- RFC 4158 — Internet X.509 PKI: Certification Path Building
- RFC 5280 §6.1 — the validation algorithm this crate feeds into
§no_std
This crate is no_std but requires the alloc crate. The extern crate alloc
declaration is provided automatically; you do not need to add it yourself, but
your target must supply a global allocator (e.g., #[global_allocator]).
Structs§
- CertPool - An unordered collection of certificates used as input to path building.
- PathBuilderConfig - Tunable parameters for path building.
Enums§
- Error - Errors returned by path building.
Constants§
- DEFAULT_DFS_BUDGET - Default DFS node-visit budget for a single iterative-deepening round.
- DEFAULT_MAX_DEPTH - Default maximum number of intermediate certificates considered.
Functions§
- build_path - Build a certification path from target through certificates in pool to one of the provided trust anchors.
- build_path_with_config - Build a certification path with caller-provided budget and depth tunables.
Type Aliases§
- Result - Result alias for this crate.